
EC2 Role Policy

Variables to change before use (every value below is a placeholder; replace each with your own)

  • Region us-east-1
  • AWS account 123456789012
  • S3 bucket certgenbucket
  • Hosted zone IDs Z1111111111111 and Z2222222222222
  • Name certgen — appears in three places:
    • SNS topic name used for notifications
    • SSM parameter path prefix for the P12 password (/certgen/*/p12password) and for the Cloudflare API token (/certgen/*/cloudflare)

Notes: the SSM statements grant only the parameter API calls; if those parameters are SecureString values encrypted with a customer-managed KMS key, the role also needs kms:Decrypt (and kms:Encrypt for PutParameter) on that key, whereas the default aws/ssm key typically needs no extra statement. The two statements with "Resource": "*" (acm:ListCertificates, route53:ListHostedZones) are list calls that do not support resource-level restrictions, so the wildcard there is required rather than over-broad; all write actions are scoped to the named bucket, topic, parameter paths and hosted zones.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CopyToS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::certgenbucket/*"
            ]
        },
        {
            "Sid": "CopyToACM",
            "Effect": "Allow",
            "Action": [
                "acm:ImportCertificate"
            ],
            "Resource": [
                "arn:aws:acm:us-east-1:123456789012:certificate/*"
            ]
        },
        {
            "Sid": "SendNotification",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:us-east-1:123456789012:certgen"
            ]
        },
        {
            "Sid": "SaveEncryptedPassword",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/p12password"
            ]
        },
        {
            "Sid": "GetCloudflareToken",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/cloudflare"
            ]
        },
        {
            "Sid": "DNSValidation",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Z1111111111111",
                "arn:aws:route53:::hostedzone/Z2222222222222"
            ]
        },
        {
            "Sid": "DNS",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "LocateACMCertificate",
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LocateDNS",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        }
    ]
}